Creating an OpenSearch cluster

Written by

Updated at January 30, 2026

Roles for creating a cluster
Creating a cluster
Creating a cluster copy
Examples
Managing database connection parameters using Connection Manager

A Managed Service for OpenSearch cluster is a group of multiple interlinked OpenSearch and Dashboards hosts. A cluster provides high search performance by distributing search and indexing tasks across all cluster hosts with the DATA role. To learn more about roles in the cluster, see Host roles.

The available disk types depend on the selected host class.

For more information, see Resource relationships.

Roles for creating a cluster

To create a Managed Service for OpenSearch cluster, you need the vpc.user role and the managed-opensearch.editor role or higher.

To attach your service account to a cluster, e.g., to use Yandex Object Storage, make sure your Yandex Cloud account has the iam.serviceAccounts.user role or higher.

For more information about assigning roles, see this Yandex Identity and Access Management guide.

Creating a cluster

When creating a cluster, you need to specify individual parameters for each host group.

Management console

CLI

Terraform

REST API

gRPC API

To create a Managed Service for OpenSearch cluster:

In the management console, select the folder where you want to create a cluster.
Navigate to the Managed Service for OpenSearch service.
Click Create cluster.
Under Basic parameters:
1. Enter a name for the cluster. It must be unique within the folder.
2. Optionally, enter a description for the cluster.
3. Select the environment where you want to create your cluster (you cannot change the environment once the cluster is created):
  - PRODUCTION: For stable versions of your applications.
  - PRESTABLE: For testing purposes. The prestable environment is similar to the production environment and likewise covered by an SLA, but it is the first to get new features, improvements, and bug fixes. In the prestable environment, you can test new versions for compatibility with your application.
4. Select the OpenSearch version.
5. Select the plugins you want to install in the cluster.
Under Network settings, select the cloud network to host your cluster and security groups for cluster network traffic. You may need to additionally set up security groups to be able connect to the cluster.
Under Virtual node group 1, configure your OpenSearch host group:
1. Select the host group type: OpenSearch.
2. Enter a name for the host group. It must be unique within the cluster.
3. Select the DATA and MANAGER host roles.
4. Select the platform, host type, and host class.
  
  The host class defines the specifications of virtual machines OpenSearch nodes will be deployed on. All available options are listed under Host classes.
5. Select the disk type and data storage size.
  
  The selected type determines the increments in which you can change your disk size:
  - Network HDD and SSD storage: In increments of 1 GB.
  - Local SSD storage:
    - For Intel Cascade Lake: In increments of 100 GB.
    - For Intel Ice Lake: In increments of 368 GB.
  - Non-replicated SSD storage: In increments of 93 GB.
6. Optionally, select Encrypted disk to encrypt the disk with a custom KMS key.
  - To create a new key, click Create.
  - To use the key you created earlier, select it in the KMS key field.
  To learn more about disk encryption, see Storage.
7. Optionally, set up automatic storage expansion:
  - In the Increase size field, specify the conditions for the actions below:
    - Storage expansion during the next maintenance window once the fill level exceeds the specified percentage. If you set this condition, configure the maintenance window schedule.
    - Storage expansion immediately once the fill level exceeds the specified percentage.
      
      Warning
      
      If you set both conditions, make sure the immediate expansion threshold is higher than the scheduled one.
  - Specify the maximum storage size after the expansion in the Maximum storage size field.
  Warning
  - You cannot decrease the storage size.
  - When scaling your storage, the cluster hosts will be unavailable.
8. Specify how hosts should be distributed across availability zones and subnets.
9. Select the number of hosts to create.
10. Enable Public access if you want to allow connections to hosts over the internet.
  
  Tip
  
  For security reasons, we do not recommend enabling public access for hosts with the MANAGER role.
Configure the Dashboards host group under Virtual node group 2, if required:
1. Select the platform, host type, and host class.
2. Configure the storage the same way as for OpenSearch hosts.
3. Specify how hosts should be distributed across availability zones and subnets.
4. Select the number of hosts to create.
5. Enable Public access if you want to allow connections to hosts over the internet.
  
  Tip
  
  You can use OpenSearch Dashboards even if you cannot get public access to your hosts, e.g., for security reasons. To do this, proxy the connections via the virtual machine in Yandex Compute Cloud that resides in the same network as the cluster. For more information, see Connecting to OpenSearch Dashboards.
If required, click Add virtual node group to add another host group or more.
Under Service settings:
1. Enter the password for admin.
  
  The password must include three groups of characters out of these four:
  - Lowercase Latin letters
  - Uppercase Latin letters
  - Numbers
  - Special characters
  The password must be from 10 to 72 characters long.
  
  admin is a dedicated user required to manage the cluster and cannot be deleted. Such a user has the superuser role and can perform any operations with the cluster.
  
  Tip
  
  However, for routine jobs, we recommend creating individual regular users. For more information, see Managing OpenSearch users.
2. If required, change additional cluster settings:
  - Maintenance window: Maintenance window settings:
    - To enable maintenance at any time, select arbitrary (default).
    - To specify the preferred maintenance start time, select by schedule and specify the desired day of the week and UTC hour. For example, you can choose a time when the cluster is least loaded.
    Maintenance operations are carried out both on enabled and disabled clusters. They may include updating the DBMS, applying patches, and so on.
  - Service account: Account for accessing Yandex Object Storage as a repository of OpenSearch snapshots. Learn more about service accounts in this Yandex Identity and Access Management guide.
  - Deletion protection: Manages cluster protection against accidental deletion.
    
    Even with cluster deletion protection enabled, it is still possible to delete a user or connect to the cluster manually and delete the data.
Click Create cluster.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To create a Managed Service for OpenSearch cluster:

View the description of the CLI command for creating a cluster:
```
yc managed-opensearch cluster create --help
```
Specify the cluster properties in this command (the example does not show all that are available):
```
yc managed-opensearch cluster create \
   --name <cluster_name> \
   --description <cluster_description> \
   --labels <labels> \
   --environment <environment> \
   --network-name <network_name> \
   --security-group-ids <security_group_IDs> \
   --service-account-name <service_account_name> \
   --delete-protection \
   --maintenance schedule=<maintenance_type>,`
                `weekday=<day_of_week>,`
                `hour=<hour> \
   --disk-encryption-key-id <KMS_key_ID> \
   --version <OpenSearch_version> \
   --read-admin-password \
   --data-transfer-access=<allow_access_from_Data_Transfer> \
   --serverless-access=<allow_access_from_Serverless_Containers> \
   --plugins <OpenSearch_plugins> \
   --advanced-params <additional_parameters> \
   --opensearch-node-group name=<OpenSearch_host_group_name>,`
                          `resource-preset-id=<host_class>,`
                          `disk-size=<disk_size_in_bytes>,`
                          `disk-type-id=<network-hdd|network-ssd|network-ssd-io-m3|network-ssd-nonreplicated|local-ssd>,`
                          `hosts-count=<number_of_hosts_in_group>,`
                          `zone-ids=<availability_zones>,`
                          `subnet-names=<subnet_names>,`
                          `assign-public-ip=<allow_public_access_to_hosts>,`
                          `roles=<host_roles> \
   --dashboards-node-group name=<Dashboards_host_group_name>,`
                          `resource-preset-id=<host_class>,`
                          `disk-size=<disk_size_in_bytes>,`
                          `disk-type-id=<network-ssd>,`
                          `hosts-count=<number_of_hosts_in_group>,`
                          `zone-ids=<availability_zones>,`
                          `subnet-names=<subnet_names>,`
                          `assign-public-ip=<allow_public_access_to_hosts>
```
Where:
- --labels: Yandex Cloud labels in <key>=<value> format. You can use them to logically separate resources.
- --environment: Environment:
  - production: For stable versions of your applications.
  - prestable: For testing purposes. The prestable environment is similar to the production environment and likewise covered by an SLA, but it is the first to get new features, improvements, and bug fixes. In the prestable environment, you can test new versions for compatibility with your application.
- --service-account-name: Name of the service account for accessing Yandex Object Storage as a repository of OpenSearch snapshots. Learn more about service accounts in this Yandex Identity and Access Management guide.
- --deletion-protection: Cluster protection from accidental deletion, true or false.
  
  Even with cluster deletion protection enabled, it is still possible to delete a user or connect to the cluster manually and delete the data.
- --maintenance: Maintenance window settings:
  - To allow maintenance at any time, do not specify the --maintenance parameter in the command (the default configuration) or specify --maintenance schedule=anytime.
  - To specify the preferred start time for maintenance, specify this parameter in the command: --maintenance schedule=weekly,weekday=<day_of_week>,hour=<hour_in_UTC>. In this case, maintenance will take place every week on a specified day at a specified time.
  Both active and stopped clusters undergo maintenance. Maintenance may involve such operations as applying patches or updating DBMS's.
- --disk-encryption-key-id: Disk encryption with a custom KMS key.
  
  To learn more about disk encryption, see Storage.
- --read-admin-password: admin password. If you specify this parameter in the command, it will prompt you to enter a password.
  
  The password must include three groups of characters out of these four:
  - Lowercase Latin letters
  - Uppercase Latin letters
  - Numbers
  - Special characters
  The password must be from 10 to 72 characters long.
  
  admin is a dedicated user required to manage the cluster and cannot be deleted. Such a user has the superuser role and can perform any operations with the cluster.
  
  Tip
  
  However, for routine jobs, we recommend creating individual regular users. For more information, see Managing OpenSearch users.
- --serverless-access: Access from Yandex Serverless Containers, true or false.
- --plugins: OpenSearch plugins to install in the cluster.
- --advanced-params: Additional cluster parameters. The possible values are:
  - max-clause-count: Maximum allowed number of boolean clauses per query. For more information, see this OpenSearch guide.
  - fielddata-cache-size: JVM heap size allocated for the fielddata data structure. You can specify either an absolute value or percentage, e.g., 512mb or 50%. For more information, see this OpenSearch guide.
  - reindex-remote-whitelist: List of remote hosts whose indexes contain documents to copy for reindexing. Specify the parameter value as <host_address>:<port>. If you need to specify more than one host, list values separated by commas. For more information, see this OpenSearch guide.
- --opensearch-node-group: OpenSearch host group configuration, where:
  - resource-preset-id: Host class that defines the specifications of virtual machines the OpenSearch nodes will be deployed on. All available options are listed under Host classes.
  - disk-size: Disk size, in bytes. The minimum and maximum values depend on the selected host class.
  - disk-type-id: Disk type.
  - zone-ids: Availability zones. Separate zones with commas and enclose them in square brackets, e.g.:
```
zone-ids=[ru-central1-a,ru-central1-b,ru-central1-d]
```
  - subnet-names: Names of the subnets in the specified availability zones. Separate subnets with commas and enclose them in square brackets, e.g.:
```
subnet-names=[default-ru-central1-a,default-ru-central1-b,default-ru-central1-d]
```
    You can specify the subnet-ids parameter with network IDs instead of subnet-names. Separate IDs with commas and enclosed them in square brackets, e.g.:
```
subnet-ids=[e9bp8qmchqh2********,e2l963gkhobo********,fl8klaabecc3********]
```
  - roles: Host roles. The possible values are:
    - data: Assigns the DATA role only.
    - manager: Assigns the MANAGER role only.
    - data+manager or manager+data: Assigns both roles.
    Tip
    
    For security reasons, we do not recommend enabling public access to hosts with the MANAGER role.
- --dashboards-node-group: Dashboards host group configuration. It is configured just as the OpenSearch host group, except for the host roles. You do not need to set up any roles for the Dashboards group.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

To create a Managed Service for OpenSearch cluster:

In the configuration file, describe the resources you want to create:

Database cluster: Description of the Managed Service for OpenSearch cluster and its hosts.
Network: Description of the cloud network where a cluster will be located. If you already have a suitable network, you don't have to describe it again.
Subnets: Description of the subnets to connect the cluster hosts to. If you already have suitable subnets, you don't have to describe them again.

Here is an example of the configuration file structure:

resource "yandex_mdb_opensearch_cluster" "<cluster_name>" {
  name                   = "<cluster_name>"
  environment            = "<environment>"
  network_id             = "<network_ID>"
  security_group_ids     = ["<list_of_security_group_IDs>"]
  disk_encryption_key_id = <KMS_key_ID>
  deletion_protection    = "<protect_cluster_against_deletion>"

  config {

    version        = "<OpenSearch_version>"
    admin_password = "<admin_password>"

    opensearch {
      node_groups {
        name             = "<virtual_host_group_name>"
        assign_public_ip = <allow_public_access_to_hosts>
        hosts_count      = <number_of_hosts>
        zone_ids         = ["<list_of_availability_zones>"]
        subnet_ids       = ["<list_of_subnet_IDs>"]
        roles            = ["<role_list>"]
        resources {
          resource_preset_id = "<host_class>"
          disk_size          = <storage_size_in_bytes>
          disk_type_id       = "<disk_type>"
        }
      }

      plugins = ["<list_of_plugin_names>"]

    }

    dashboards {
      node_groups {
        name             = "<virtual_host_group_name>"
        assign_public_ip = <allow_public_access_to_hosts>
        hosts_count      = <number_of_hosts>
        zone_ids         = ["<list_of_availability_zones>"]
        subnet_ids       = ["<list_of_subnet_IDs>"]
        resources {
          resource_preset_id = "<host_class>"
          disk_size          = <storage_size_in_bytes>
          disk_type_id       = "<disk_type>"
        }
      }
    }
  }
  maintenance_window {
    type = <maintenance_type>
    day  = <day_of_week>
    hour = <hour>
  }
}

resource "yandex_vpc_network" "<network_name>" { 
  name = "<network_name>"
}

resource "yandex_vpc_subnet" "<subnet_name>" {
  name           = "<subnet_name>"
  zone           = "<availability_zone>"
  network_id     = "<network_ID>"
  v4_cidr_blocks = ["<range>"]
}

Where:

environment: Environment, PRESTABLE or PRODUCTION.
disk_encryption_key_id: Disk encryption with a custom KMS key.

To learn more about disk encryption, see Storage.
deletion_protection: Cluster protection against accidental deletion, true or false.

Even with cluster deletion protection enabled, it is still possible to delete a user or connect to the cluster manually and delete the data.
admin_password: admin password.

The password must include three groups of characters out of these four:
- Lowercase Latin letters
- Uppercase Latin letters
- Numbers
- Special characters
The password must be from 10 to 72 characters long.

admin is a dedicated user required to manage the cluster and cannot be deleted. Such a user has the superuser role and can perform any operations with the cluster.

Tip

However, for routine jobs, we recommend creating individual regular users. For more information, see Managing OpenSearch users.
assign_public_ip: Public access to the host, true or false.
roles: Host roles, DATA and MANAGER.
maintenance_window: Maintenance window (for stopped clusters as well):
- type: Maintenance type. The possible values include:
  - ANYTIME: At any time.
  - WEEKLY: On schedule.
- day: Day of week in DDD format for the WEEKLY type, e.g., MON.
- hour: Time of day (UTC) in HH format for the WEEKLY type, e.g., 21.

For a complete list of Managed Service for OpenSearch cluster configuration fields you can update, see this Terraform provider guide.

Make sure the settings are correct.
1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
2. Run this command:
```
terraform validate
```
  Terraform will show any errors found in your configuration files.
Create a cluster.
1. Run this command to view the planned changes:
```
terraform plan
```
  If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
2. If everything looks correct, apply the changes:
  1. Run this command:
```
terraform apply
```
  2. Confirm updating the resources.
  3. Wait for the operation to complete.
Timeouts
The Terraform provider sets the following timeouts for Managed Service for OpenSearch cluster operations:
- Creating a cluster, including by restoring it from a backup: 30 minutes.
- Updating a cluster: 60 minutes.
- Deleting a cluster: 15 minutes.
Operations exceeding the timeout are aborted.
How do I change these limits?
Add a timeouts section to the cluster description, e.g.:

resource "yandex_mdb_opensearch_cluster" "<cluster_name>" { ... timeouts { create = "1h30m" # 1 hour 30 minutes update = "2h" # 2 hours delete = "30m" # 30 minutes } }

Get an IAM token for API authentication and put it in an environment variable:
```
export IAM_TOKEN="<IAM_token>"
```

Create a file named body.json and paste the following code into it:

{
    "folderId": "<folder_ID>",
    "name": "<cluster_name>",
    "environment": "<environment>",
    "networkId": "<network_ID>",
    "securityGroupIds": [
        "<security_group_1_ID>",
        "<security_group_2_ID>",
        ...
        "<security_group_N_ID>"
    ],
    "serviceAccountId": "<service_account_ID>",
    "deletionProtection": <protect_cluster_against_deletion>,
    "configSpec": {
        "version": "<OpenSearch_version>",
        "adminPassword": "<admin_password>",
        "opensearchSpec": {
            "plugins": [
                "<OpenSearch_plugin_1>",
                "<OpenSearch_plugin_2>",
                ...
                "<OpenSearch_plugin_N>"
            ],
            "nodeGroups": [
                {
                    "name": "<host_group_name>",
                    "resources": {
                        "resourcePresetId": "<host_class>",
                        "diskSize": "<storage_size_in_bytes>",
                        "diskTypeId": "<disk_type>"
                    },
                    "roles": ["<role_1>","<role_2>"],
                    "hostsCount": "<number_of_hosts>",
                    "zoneIds": [
                        "<availability_zone_1>",
                        "<availability_zone_2>",
                        "<availability_zone_3>"
                    ],
                    "subnetIds": [
                        "<subnet_1_ID>",
                        "<subnet_2_ID>",
                        "<subnet_3_ID>"
                    ],
                    "assignPublicIp": <allow_public_access_to_hosts>,
                    "diskSizeAutoscaling": {
                        "plannedUsageThreshold": "<scheduled_expansion_percentage>",
                        "emergencyUsageThreshold": "<immediate_expansion_percentage>",
                        "diskSizeLimit": "<maximum_storage_size_in_bytes>"
                    }
                },
                ...
            ]
        },
        "dashboardsSpec": {
            "nodeGroups": [
                {
                    "name": "<host_group_name>",
                    "resources": {
                        "resourcePresetId": "<host_class>",
                        "diskSize": "<storage_size_in_bytes>",
                        "diskTypeId": "<disk_type>"
                    },
                    "hostsCount": "<number_of_hosts>",
                    "zoneIds": ["<availability_zone>"],
                    "subnetIds": ["<subnet_ID>"],
                    "assignPublicIp": <allow_public_access_to_hosts>,
                    "diskSizeAutoscaling": {
                        "plannedUsageThreshold": "<scheduled_expansion_percentage>",
                        "emergencyUsageThreshold": "<immediate_expansion_percentage>",
                        "diskSizeLimit": "<maximum_storage_size_in_bytes>"
                    }
                }
            ]
        },
        "access": {
            "dataTransfer": <allow_access_from_Data_Transfer>,
            "serverless": <allow_access_from_Serverless_Containers>
        }
    },
    "maintenanceWindow": {
        "weeklyMaintenanceWindow": {
            "day": "<day_of_week>",
            "hour": "<hour>"
        }
    }
}

Where:

folderId: Folder ID. You can get it with the list of folders in the cloud.
name: Cluster name.
environment: Cluster environment, PRODUCTION or PRESTABLE.
networkId: ID of the network where the cluster will be deployed.
securityGroupIds: Security group IDs.
serviceAccountId: ID of the service account used for cluster operations.
deletionProtection: Cluster protection against accidental deletion, true or false.

Even with cluster deletion protection enabled, it is still possible to delete a user or connect to the cluster manually and delete the data.
configSpec: Cluster settings:
- version: OpenSearch version.
- adminPassword: admin password.
  
  The password must include three groups of characters out of these four:
  - Lowercase Latin letters
  - Uppercase Latin letters
  - Numbers
  - Special characters
  The password must be from 10 to 72 characters long.
  
  admin is a dedicated user required to manage the cluster and cannot be deleted. Such a user has the superuser role and can perform any operations with the cluster.
  
  Tip
  
  However, for routine jobs, we recommend creating individual regular users. For more information, see Managing OpenSearch users.
- opensearchSpec: OpenSearch host group settings:
  - plugins: List of OpenSearch plugins to additionally install in the cluster.
  - nodeGroups: Host settings as an array of elements, one per host group. Each element has the following structure:
    - name: Host group name.
    - resources: Cluster resources:
      - resourcePresetId: Host class.
      - diskSize: Disk size, in bytes.
      - diskTypeId: Disk type.
    - roles: List of host roles. A cluster must include at least one group of DATA hosts and one group of MANAGER hosts. This can be a single group with two roles or multiple groups with different roles.
    - hostsCount: Number of hosts in the group. The minimum number of DATA hosts is one, while the minimum number of MANAGER hosts is three.
    - zoneIds: List of availability zones the cluster hosts are located in.
    - subnetIds: List of subnet IDs.
    - assignPublicIp: Permission to connect to the host from the internet, true or false.
    - diskSizeAutoscaling: Automatic storage expansion settings:
      - plannedUsageThreshold: Storage usage percentage to trigger a storage expansion during the next maintenance window.
        
        Use a value between 0 and 100%. The default value is 0, i.e., automatic expansion is disabled.
        
        If you set this condition, configure the maintenance window schedule in the maintenanceWindow parameter.
      - emergencyUsageThreshold: Storage usage percentage to trigger an immediate storage expansion.
        
        Use a value between 0 and 100%. The default value is 0, i.e., automatic expansion is disabled.
        
        Warning
        
        If you specify both thresholds, emergencyUsageThreshold must not be less than plannedUsageThreshold.
      - diskSizeLimit: Maximum storage size, in bytes, to set when storage usage reaches one of the specified thresholds.
      Warning
      
      You cannot decrease the storage size.
      
      When scaling your storage, the cluster hosts will be unavailable.
- dashboardsSpec: Dashboards host group settings that contain the nodeGroups parameter of the same structure as opensearchSpec.nodeGroups, except for the roles parameter. The Dashboards hosts have only one role, DASHBOARDS, so there is no need to specify it.
- access: Cluster access settings for the following Yandex Cloud services:
  - dataTransfer: Yandex Data Transfer
  - serverless: Yandex Serverless Containers
  The possible setting values are true or false.
maintenance_window.weeklyMaintenanceWindow: Maintenance window schedule:
- day: Day of the week, in DDD format, for scheduled maintenance.
- hour: Hour, in HH format, for scheduled maintenance. The possible values range from 1 to 24. Use the UTC time zone.

Call the Cluster.Create method, e.g., via the following cURL request:

curl \
    --request POST \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --header "Content-Type: application/json" \
    --url 'https://mdb.api.cloud.yandex.net/managed-opensearch/v1/clusters' \
    --data "@body.json"

View the server response to make sure your request was successful.

Get an IAM token for API authentication and put it in an environment variable:
```
export IAM_TOKEN="<IAM_token>"
```
Clone the cloudapi repository:
```
cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
```
Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

Create a file named body.json and paste the following code into it:

{
    "folder_id": "<folder_ID>",
    "name": "<cluster_name>",
    "environment": "<environment>",
    "network_id": "<network_ID>",
    "security_group_ids": [
        "<security_group_1_ID>",
        "<security_group_2_ID>",
        ...
        "<security_group_N_ID>"
    ],
    "service_account_id": "<service_account_ID>",
    "deletion_protection": <protect_cluster_against_deletion>,
    "config_spec": {
        "version": "<OpenSearch_version>",
        "admin_password": "<admin_password>",
        "opensearch_spec": {
            "plugins": [
                "<OpenSearch_plugin_1>",
                "<OpenSearch_plugin_2>",
                ...
                "<OpenSearch_plugin_N>"
            ],
            "node_groups": [
                {
                    "name": "<host_group_name>",
                    "resources": {
                        "resource_preset_id": "<host_class>",
                        "disk_size": "<storage_size_in_bytes>",
                        "disk_type_id": "<disk_type>"
                    },
                    "roles": ["<role_1>","<role_2>"],
                    "hosts_count": "<number_of_hosts>",
                    "zone_ids": [
                        "<availability_zone_1>",
                        "<availability_zone_2>",
                        "<availability_zone_3>"
                    ],
                    "subnet_ids": [
                        "<subnet_1_ID>",
                        "<subnet_2_ID>",
                        "<subnet_3_ID>"
                    ],
                    "assign_public_ip": <allow_public_access_to_hosts>,
                    "disk_size_autoscaling": {
                        "planned_usage_threshold": "<scheduled_expansion_percentage>",
                        "emergency_usage_threshold": "<immediate_expansion_percentage>",
                        "disk_size_limit": "<maximum_storage_size_in_bytes>"
                    }
                },
                ...
            ]
        },
        "dashboards_spec": {
            "node_groups": [
                {
                    "name": "<host_group_name>",
                    "resources": {
                        "resource_preset_id": "<host_class>",
                        "disk_size": "<storage_size_in_bytes>",
                        "disk_type_id": "<disk_type>"
                    },
                    "hosts_count": "<number_of_hosts>",
                    "zone_ids": ["<availability_zone>"],
                    "subnet_ids": ["<subnet_ID>"],
                    "assign_public_ip": <allow_public_access_to_hosts>,
                    "disk_size_autoscaling": {
                        "planned_usage_threshold": "<scheduled_expansion_percentage>",
                        "emergency_usage_threshold": "<immediate_expansion_percentage>",
                        "disk_size_limit": "<maximum_storage_size_in_bytes>"
                    }
                }
            ]
        },
        "access": {
            "data_transfer": <allow_access_from_Data_Transfer>,
            "serverless": <allow_access_from_Serverless_Containers>
        }
    },
    "maintenance_window": {
        "weekly_maintenance_window": {
            "day": "<day_of_week>",
            "hour": "<hour>"
        }
    }
}

Where:

folder_id: Folder ID. You can get it with the list of folders in the cloud.
name: Cluster name.
environment: Cluster environment, PRODUCTION or PRESTABLE.
network_id: ID of the network where the cluster will be deployed.
security_group_ids: Security group IDs.
service_account_id: ID of the service account used for cluster operations.
deletion_protection: Cluster protection against accidental deletion, true or false.

Even with cluster deletion protection enabled, it is still possible to delete a user or connect to the cluster manually and delete the data.
config_spec: Cluster settings:
- version: OpenSearch version.
- admin_password: admin password.
  
  The password must include three groups of characters out of these four:
  - Lowercase Latin letters
  - Uppercase Latin letters
  - Numbers
  - Special characters
  The password must be from 10 to 72 characters long.
  
  admin is a dedicated user required to manage the cluster and cannot be deleted. Such a user has the superuser role and can perform any operations with the cluster.
  
  Tip
  
  However, for routine jobs, we recommend creating individual regular users. For more information, see Managing OpenSearch users.
- opensearch_spec: OpenSearch host group settings:
  - plugins: List of OpenSearch plugins to additionally install in the cluster.
  - node_groups: Host settings as an array of elements, one per host group. Each element has the following structure:
    - name: Host group name.
    - resources: Cluster resources:
      - resource_preset_id: Host class.
      - disk_size: Disk size, in bytes.
      - disk_type_id: Disk type.
    - roles: List of host roles. A cluster must include at least one group of DATA hosts and one group of MANAGER hosts. This can be a single group with two roles or multiple groups with different roles.
    - hosts_count: Number of hosts in the group. The minimum number of DATA hosts is one, while the minimum number of MANAGER hosts is three.
    - zone_ids: List of availability zones the cluster hosts are located in.
    - subnet_ids: List of subnet IDs.
    - assign_public_ip: Permission to connect to the host from the internet, true or false.
    - disk_size_autoscaling: Automatic storage expansion settings:
      - planned_usage_threshold: Storage usage percentage to trigger a storage expansion during the next maintenance window.
        
        Use a value between 0 and 100%. The default value is 0, i.e., automatic expansion is disabled.
        
        If you set this condition, configure the maintenance window schedule in the maintenance_window parameter.
      - emergency_usage_threshold: Storage usage percentage to trigger an immediate storage expansion.
        
        Use a value between 0 and 100%. The default value is 0, i.e., automatic expansion is disabled.
        
        Warning
        
        If you specify both thresholds, emergency_usage_threshold must not be less than planned_usage_threshold.
      - disk_size_limit: Maximum storage size, in bytes, to set when storage usage reaches one of the specified thresholds.
      Warning
      
      You cannot decrease the storage size.
      
      When scaling your storage, the cluster hosts will be unavailable.
- dashboards_spec: Dashboards host group settings that contain the node_groups parameter of the same structure as opensearch_spec.node_groups, except for the roles parameter. The Dashboards hosts have only one role, DASHBOARDS, so there is no need to specify it.
- access: Cluster access settings for the following Yandex Cloud services:
  - data_transfer: Yandex Data Transfer
  - serverless: Yandex Serverless Containers
  The possible setting values are true or false.
maintenance_window.weekly_maintenance_window: Maintenance window schedule:
- day: Day of the week, in DDD format, for scheduled maintenance.
- hour: Hour, in HH format, for scheduled maintenance. The possible values range from 1 to 24. Use the UTC time zone.

Call the ClusterService.Create method, e.g., via the following gRPCurl request:

grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/opensearch/v1/cluster_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d @ \
    mdb.api.cloud.yandex.net:443 \
    yandex.cloud.mdb.opensearch.v1.ClusterService.Create \
    < body.json

View the server response to make sure your request was successful.

Creating a cluster copy

You can create an OpenSearch cluster with the settings of another one created earlier. To do this, import the original OpenSearch cluster configuration to Terraform. This way, you can either create an identical copy or use the imported configuration as the baseline and modify it as needed. The import feature is useful when you need to replicate an OpenSearch cluster with multiple settings.

To create an OpenSearch cluster copy:

Terraform

If you do not have Terraform yet, install it.
Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.
Configure and initialize a provider. There is no need to create a provider configuration file manually, you can download it.
Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.
In the same working directory, place a .tf file with the following contents:
```
resource "yandex_mdb_opensearch_cluster" "old" { }
```
Save the ID of the original OpenSearch cluster to an environment variable:
```
export OPENSEARCH_CLUSTER_ID=<cluster_ID>
```
You can get the ID with the list of clusters in the folder.
Import the original OpenSearch cluster settings to the Terraform configuration:
```
terraform import yandex_mdb_opensearch_cluster.old ${OPENSEARCH_CLUSTER_ID}
```
Get the imported configuration:
```
terraform show
```
Copy it from the terminal and paste it into the .tf file.
Place the file in the new imported-cluster directory.
Edit the copied configuration so that you can create a new cluster from it:
- Specify the new cluster name in the resource string and the name parameter.
- Delete the created_at, health, id, and status parameters.
- Add the admin_password parameter to the config section.
- If you have type = "ANYTIME" in the maintenance_window section, delete the hour parameter.
- Optionally, make further changes if you need a customized configuration.
Get the authentication credentials in the imported-cluster directory.
In the same directory, configure and initialize the provider. There is no need to create a provider configuration file manually, as you can download it.
Place the configuration file in the imported-cluster directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.
Make sure the Terraform configuration files are correct:
```
terraform validate
```
Terraform will display any configuration errors detected in your files.
Create the required infrastructure:
1. Run this command to view the planned changes:
```
terraform plan
```
  If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
2. If everything looks correct, apply the changes:
  1. Run this command:
```
terraform apply
```
  2. Confirm updating the resources.
  3. Wait for the operation to complete.
All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.

Timeouts

The Terraform provider sets the following timeouts for Managed Service for OpenSearch cluster operations:

Creating a cluster, including by restoring it from a backup: 30 minutes.
Updating a cluster: 60 minutes.
Deleting a cluster: 15 minutes.

Operations exceeding the timeout are aborted.

How do I change these limits?

Add a timeouts section to the cluster description, e.g.:

resource "yandex_mdb_opensearch_cluster" "<cluster_name>" {
  ...
  timeouts {
    create = "1h30m" # 1 hour 30 minutes
    update = "2h"    # 2 hours
    delete = "30m"   # 30 minutes
  }
}

Examples

CLI

Terraform

Create a Managed Service for OpenSearch cluster with the following test specifications:

Name: my-os-clstr.
Description: My OS cluster.
Label: label-key with label-value.
Environment: production.
Network name: default.
Security group ID: enp6saqnq4ie244g67sb.
Service account name: os-account.
Deletion protection: Disabled.
Maintenance time: Every Monday from 13:00 till 14:00.
OpenSearch version: 2.12.
admin password: Specified after entering the cluster create command.
Access to Data Transfer: Enabled.
Access to Serverless Containers: Enabled.
OpenSearch added plugin: analysis-icu.
OpenSearch additional parameter: fielddata-cache-size=50%.
OpenSearch node group configuration:
- Node group name: os-group.
- Host class: s2.micro.
- Disk size: 10737418240 (in bytes).
- Disk type: network-ssd.
- Number of hosts: 3.
- Availability zone: ru-central1-a.
- Subnet: default-ru-central1-a.
- Public address: Assigned.
- Host group roles: DATA and MANAGER.
Dashboards host group configuration:
- Host group name: dashboard-group.
- Host class: s2.micro.
- Disk size: 10737418240 (in bytes).
- Disk type: network-ssd.
- Number of hosts: 1.
- Availability zone: ru-central1-a.
- Subnet: default-ru-central1-a.
- Public address: Assigned.

Run this command:

yc managed-opensearch cluster create \
   --name my-os-clstr \
   --description "My OS cluster" \
   --labels label-key=label-value \
   --environment production \
   --network-name default \
   --security-group-ids enp6saqnq4ie244g67sb \
   --service-account-name os-account \
   --delete-protection \
   --maintenance schedule=weekly,`
                `weekday=mon,`
                `hour=14 \
   --version 2.12 \
   --read-admin-password \
   --data-transfer-access=true \
   --serverless-access=true \
   --plugins analysis-icu \
   --advanced-params fielddata-cache-size=50% \
   --opensearch-node-group name=os-group,`
                          `resource-preset-id=s2.micro,`
                          `disk-size=10737418240,`
                          `disk-type-id=network-ssd,`
                          `hosts-count=3,`
                          `zone-ids=ru-central1-a,`
                          `subnet-names=default-ru-central1-a,`
                          `assign-public-ip=true,`
                          `roles=data+manager \
   --dashboards-node-group name=dashboard-group,`
                          `resource-preset-id=s2.micro,`
                          `disk-size=10737418240,`
                          `disk-type-id=network-ssd,`
                          `hosts-count=1,`
                          `zone-ids=ru-central1-a,`
                          `subnet-names=default-ru-central1-a,`
                          `assign-public-ip=true

Create a Managed Service for OpenSearch cluster with the following test specifications:

Name: my-os-clstr.
Environment: PRODUCTION.
OpenSearch version: 2.12.
admin password: osAdminpwd1.
OpenSearch node group configuration:
- OpenSearch node group name: os-group.
- Host class: s2.micro.
- Disk size: 10737418240 (in bytes).
- Disk type: network-ssd.
- Number of hosts: 3.
- Availability zone: ru-central1-a.
- Public address: Assigned.
- Host group roles: DATA and MANAGER.
Dashboards host group configuration:
- Host group name: dashboard-group.
- Host class: s2.micro.
- Disk size: 10737418240 (in bytes).
- Disk type: network-ssd.
- Number of hosts: 1.
- Availability zone: ru-central1-a.
- Public address: Assigned.
Maintenance time: Every Monday from 13:00 till 14:00.
Network name: mynet.
Subnet name: mysubnet.
Availability zone: ru-central1-a.
Address range: 10.1.0.0/16.
Security group name: os-sg. The security group allows connecting to the cluster host from any network (including the internet) on port 9200.

The configuration file for this cluster is as follows:

resource "yandex_mdb_opensearch_cluster" "my-os-clstr" {
  name               = "my-os-clstr"
  environment        = "PRODUCTION"
  network_id         = yandex_vpc_network.mynet.id
  security_group_ids = [yandex_vpc_security_group.os-sg.id]

  config {

    version        = "2.12"
    admin_password = "osAdminpwd1"

    opensearch {
      node_groups {
        name             = "os-group"
        assign_public_ip = true
        hosts_count      = 3
        zone_ids         = ["ru-central1-a"]
        subnet_ids       = [yandex_vpc_subnet.mysubnet.id]
        roles            = ["DATA", "MANAGER"]
        resources {
          resource_preset_id = "s2.micro"
          disk_size          = 10737418240
          disk_type_id       = "network-ssd"
        }
      }
    }

    dashboards {
      node_groups {
        name             = "dashboard-group"
        assign_public_ip = true
        hosts_count      = 1
        zone_ids         = ["ru-central1-a"]
        subnet_ids       = [yandex_vpc_subnet.mysubnet.id]
        resources {
          resource_preset_id = "s2.micro"
          disk_size          = 10737418240
          disk_type_id       = "network-ssd"
        }
      }
    }

  }

  maintenance_window {
    type = "WEEKLY"
    day  = "MON"
    hour = 14
  }
}

resource "yandex_vpc_network" "mynet" {
  name = "mynet"
}

resource "yandex_vpc_subnet" "mysubnet" {
  name           = "mysubnet"
  zone           = "ru-central1-a"
  network_id     = yandex_vpc_network.mynet.id
  v4_cidr_blocks = ["10.1.0.0/16"]
}

resource "yandex_vpc_security_group" "os-sg" {
  name       = "os-sg"
  network_id = yandex_vpc_network.mynet.id

  ingress {
    description    = "Allow connections to the Managed Service for OpenSearch cluster from the Internet"
    protocol       = "TCP"
    port           = 9200
    v4_cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    description    = "The rule allows all outgoing traffic"
    protocol       = "ANY"
    v4_cidr_blocks = ["0.0.0.0/0"]
    from_port      = 0
    to_port        = 65535
  }
}

Managing database connection parameters using Connection Manager

If your cloud or folder has access to Connection Manager public preview, a new connection entity will appear in your folder after you create a cluster. You can use it to manage database connection parameters.

Passwords and other sensitive data will be stored in a Yandex Lockbox secret. To see which secrets store connection information for your cluster, select Lockbox in the list of services in your folder. You will find you cluster's ID on the Secrets page in the secret dependencies column.

You can also use Connection Manager to configure access to connections.

Creating an OpenSearch cluster

Roles for creating a clusterRoles for creating a cluster

Creating a clusterCreating a cluster

Creating a cluster copyCreating a cluster copy

ExamplesExamples

Managing database connection parameters using Connection ManagerManaging database connection parameters using Connection Manager

Was the article helpful?

Roles for creating a cluster

Creating a cluster

Creating a cluster copy

Examples

Managing database connection parameters using Connection Manager